I live in a college town. At this time of the year, residents have a single battle cry: “They’re ba-ack!” The students are slowly migrating back to campus, here and at colleges across the country.
Students aren’t the only ones heading to college this fall. According to a new report by BitSight, hackers are also on their way to universities across the country. College networks see a dramatic rise in attacks during the academic year that runs from September to May.
The BitSight research took a unique look at network security on college campuses by breaking things down by athletic conferences. They focused on the so-called power conferences: SEC, ACC, Pac-12, Big Ten and Big 12, as well as the Ivy League. According to the report, these six conferences represent more than 2 million students and more than 11 million IP addresses.
The report, Powerhouses and Benchwarmers, found that, overall, universities are doing a poor job addressing security challenges, and it only gets worse when classes are in session. It breaks down the security efforts of each conference (unfortunately, the conference of my hometown university and alma mater finishes near the bottom). While it didn’t break down individual schools in the report, it did point out that schools that employ a CISO or other security leadership have better scores than those that do not. The report uses a rating system similar to a credit rating score to evaluate and rank the schools and conferences.
The biggest security problem, according to the report, is malware:
Higher education institutions experience high levels of malware infections, the most prevalent infection coming from the Flashback malware, which targets Apple computers. Other prominent malware include Adware and Conficker.
The conference that got the best rating? The Big 12, which is actually one of the smaller conferences. I’d personally like to see a breakdown of the individual schools and see how they all fit into their conference rankings. (And yes, I’d like to see where my school fits in because I know it has a director of security.)
What the report does break down for readers is which security threats have posed the biggest problems for each conference. For the Big 12, for instance, the biggest problem by far was a rootkit called Alureon. The Ivy League schools’ worst threat was Flashback.
I spoke with someone recently about security concerns in unexpected places, and I mentioned college campuses. She was surprised by that response. Security issues on colleges tend to get swept under the media carpet, unless it is a professor’s laptop that went missing and student or alumni information is hacked. You rarely hear about malware attacks. But they are happening and they are happening with more frequency. Stephen Boyer, founder and chief technology officer with BitSight, explained one reason why in a CNBC article:
Interestingly, these universities are a trove of intellectual property. It's difficult to quantify monetarily speaking, but if someone breaks into the machines used by grad students in the lab, they just saved themselves two years of research.
Not to mention, university campuses are a treasure mine of personal data. The 2 million students of these power conferences touch the surface of the total number of college students, and that doesn’t include faculty and staff and alumni and football season ticket holders.
As the report concludes, the culture of security (or the lack thereof) on college campuses isn’t going to change any time soon, so the report recommended this:
In order to effectively prioritize security on campus networks, security teams need expanded visibility into their current network vulnerabilities and quantitative benchmarks to compare against. Only when information security moves out of the IT department and becomes an institution strategic priority will higher education organizations effectively create an environment that secures sensitive personally identifiable information and intellectual property data. For many of these institutions, benchmarking and monitoring security performance is a good place to start.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba